Release v2.0.3

ra/fsp/inc/fsp_version.h

@@ -44,16 +44,16 @@
 #define FSP_VERSION_MINOR (0U)
 
 /** FSP pack patch version. */
-#define FSP_VERSION_PATCH (2U)
+#define FSP_VERSION_PATCH (3U)
 
 /** FSP pack version build number (currently unused). */
 #define FSP_VERSION_BUILD           (0U)
 
 /** Public FSP version name. */
-#define FSP_VERSION_STRING          ("2.0.2")
+#define FSP_VERSION_STRING          ("2.0.3")
 
 /** Unique FSP version ID. */
-#define FSP_VERSION_BUILD_STRING    ("Built with Renesas Advanced Flexible Software Package version 2.0.2")
+#define FSP_VERSION_BUILD_STRING    ("Built with Renesas Advanced Flexible Software Package version 2.0.3")
 
 /**********************************************************************************************************************
  * Typedef definitions

ra/fsp/src/rm_tfm_port/ra/boot_hal.c

@@ -11,6 +11,7 @@
 #include "Driver_Flash.h"
 #include "region_defs.h"
 #include "bootutil/bootutil_log.h"
+#include "crypto_keys.h"
 
 #include "r_flash_hp.h"
 #include "r_flash_api.h"
@@ -80,12 +81,53 @@ __attribute__((naked)) void boot_clear_bl2_ram_area (void)
 
 #endif
 
+/*
+ * The below structure contains the hard coded version of the ECDSA P-256 secret key in:
+ * platform/ext/common/template/tfm_initial_attestation_key.pem
+ *
+ * As a P-256 key, the private key is 32 bytes long.
+ *
+ * This key is used to sign the initial attestation token.
+ * The secret key is stored in raw format, without any encoding(ASN.1, COSE).
+ *
+ * #######  DO NOT USE THIS KEY IN PRODUCTION #######
+ */
+
+const iak_data_t iak_data =
+{
+    {
+        0xA9, 0xB4, 0x54, 0xB2, 0x6D, 0x6F, 0x90, 0xA4,
+        0xEA, 0x31, 0x19, 0x35, 0x64, 0xCB, 0xA9, 0x1F,
+        0xEC, 0x6F, 0x9A, 0x00, 0x2A, 0x7D, 0xC0, 0x50,
+        0x4B, 0x92, 0xA1, 0x93, 0x71, 0x34, 0x58, 0x5F
+    },
+    MAX_IAK_BYTES,
+    PSA_ECC_CURVE_SECP_R1
+};
+
+/*
+ * The below structure contains the hard coded HUK
+ * and its size.
+ *
+ * #######  DO NOT USE THIS KEY IN PRODUCTION #######
+ */
+
+const huk_data_t huk_data =
+{
+    {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+    },
+    MAX_HUK_BYTES
+};
+
 /*
  * The section 'fsp_dtc_vector_table' is reused to store boot data.
  * This is done to avoid creating a BL2 specific linker script.
  */
-static uint8_t g_tfm_shared_data[BOOT_TFM_SHARED_DATA_SIZE] BSP_PLACE_IN_SECTION(".fsp_dtc_vector_table");
-static uint8_t g_tfm_shared_boot_seed[BOOT_TFM_SHARED_SEED_SIZE] BSP_PLACE_IN_SECTION(".fsp_dtc_vector_table");
+uint8_t g_dummy_reserve_for_tfm[BOOT_TFM_SHARED_DATA_TOTAL_SIZE] BSP_PLACE_IN_SECTION(".fsp_dtc_vector_table") = {0};
 
 #define FAW_START_ADDR    (0xFFFC)
 #define FAW_END_ADDR      (0x200000)
@@ -122,16 +164,18 @@ static void flash_FAW_Set (uint32_t start_addr, uint32_t end_addr)
 /* bootloader platform-specific HW intialization */
 int32_t boot_platform_init (void)
 {
-    int32_t result;
+    int32_t      result;
+    iak_data_t * p_initial_attestation = (iak_data_t *) BOOT_TFM_SHARED_IAK_BASE;
+    huk_data_t * p_huk                 = (huk_data_t *) BOOT_TFM_SHARED_HUK_BASE;
 
     result = FLASH_DEV_NAME.Initialize(NULL);
     if (ARM_DRIVER_OK != result)
     {
         return result;
     }
 
-    memset(g_tfm_shared_data, 0x0, BOOT_TFM_SHARED_DATA_SIZE);
-    memset(g_tfm_shared_boot_seed, 0x0, BOOT_TFM_SHARED_SEED_SIZE);
+    /* This line is necessary to prevent the compiler from optimizing out this area */
+    memset(g_dummy_reserve_for_tfm, 0x0, BOOT_TFM_SHARED_DATA_TOTAL_SIZE);
 
     /* Set the FAW to lock the Secure code and data region */
 
@@ -146,7 +190,14 @@ int32_t boot_platform_init (void)
     result = psa_crypto_init();
     if (PSA_SUCCESS == result)
     {
-        result = psa_generate_random(g_tfm_shared_boot_seed, BOOT_TFM_SHARED_SEED_SIZE);
+        result = psa_generate_random((uint8_t *) BOOT_TFM_SHARED_SEED_BASE, BOOT_TFM_SHARED_SEED_SIZE);
+    }
+
+    /* Copy the IAK and HUK from bootloader ROM into the shared RAM area for the application */
+    if (PSA_SUCCESS == result)
+    {
+        memcpy((uint8_t *) p_huk, (uint8_t *) &huk_data, sizeof(huk_data));
+        memcpy((uint8_t *) p_initial_attestation, (uint8_t *) &iak_data, sizeof(iak_data));
     }
 
     return result;

ra/fsp/src/rm_tfm_port/ra/crypto_keys.c

@@ -22,26 +22,12 @@
 #include "psa/crypto_types.h"
 #include "crypto_spe.h"
 #include "tfm_plat_defs.h"
+#include "region_defs.h"
+#include "crypto_keys.h"
 
 #define SHA256_LEN_BYTES    32
 
-extern const psa_ecc_curve_t initial_attestation_curve_type;
-extern const uint8_t         initial_attestation_private_key[];
-extern const uint32_t        initial_attestation_private_key_size;
-const uint8_t                tfm_key_derivation_prefix[] = "TFM_DERIVATION_PREFIX";
-
-/* HUK to be used for key derivation. */
-TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_CRYPTO")
-const uint8_t tfm_huk_key[] =
-{
-    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
-    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
-};
-
-TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_CRYPTO")
-const uint32_t tfm_huk_key_size = sizeof(tfm_huk_key);
+const uint8_t tfm_key_derivation_prefix[] = "TFM_DERIVATION_PREFIX";
 
 /**
  * \brief Copy the key to the destination buffer
@@ -78,6 +64,8 @@ enum tfm_plat_err_t tfm_plat_get_huk_derived_key (const uint8_t * label,
     uint8_t              hash[SHA256_LEN_BYTES] = {0};
     size_t               hash_len               = 0;
 
+    huk_data_t * p_huk = (huk_data_t *) BOOT_TFM_SHARED_HUK_BASE;
+
     /* Maximum derived-key size supported is 256 bits. */
     if (key_size > SHA256_LEN_BYTES)
     {
@@ -101,7 +89,7 @@ enum tfm_plat_err_t tfm_plat_get_huk_derived_key (const uint8_t * label,
         return TFM_PLAT_ERR_SYSTEM_ERR;
     }
 
-    if (PSA_SUCCESS != psa_hash_update(&operation, (const uint8_t *) tfm_huk_key, tfm_huk_key_size))
+    if (PSA_SUCCESS != psa_hash_update(&operation, p_huk->key, p_huk->key_size))
     {
         return TFM_PLAT_ERR_SYSTEM_ERR;
     }
@@ -121,19 +109,19 @@ enum tfm_plat_err_t tfm_plat_get_initial_attest_key (uint8_t          * key_buf,
                                                      struct ecc_key_t * ecc_key,
                                                      psa_ecc_curve_t  * curve_type)
 {
-    uint32_t key_size = initial_attestation_private_key_size;
-    int      rc;
+    iak_data_t * p_initial_attestation = (iak_data_t *) BOOT_TFM_SHARED_IAK_BASE;
+    int          rc;
 
-    if (size < key_size)
+    if (size < p_initial_attestation->key_size)
     {
         return TFM_PLAT_ERR_SYSTEM_ERR;
     }
 
     /* Set the EC curve type which the key belongs to */
-    *curve_type = initial_attestation_curve_type;
+    *curve_type = p_initial_attestation->curve_type;
 
     /* Copy the private key to the buffer, it MUST be present */
-    copy_key(key_buf, initial_attestation_private_key, key_size);
+    copy_key(key_buf, (uint8_t *) p_initial_attestation->key, p_initial_attestation->key_size);
     rc = 0;
 
     if (rc)
@@ -142,7 +130,7 @@ enum tfm_plat_err_t tfm_plat_get_initial_attest_key (uint8_t          * key_buf,
     }
 
     ecc_key->priv_key      = key_buf;
-    ecc_key->priv_key_size = key_size;
+    ecc_key->priv_key_size = p_initial_attestation->key_size;
 
     ecc_key->pubx_key      = NULL;
     ecc_key->pubx_key_size = 0;

ra/fsp/src/rm_tfm_port/ra/crypto_keys.h

@@ -0,0 +1,47 @@
+/***********************************************************************************************************************
+ * Copyright [2020] Renesas Electronics Corporation and/or its affiliates.  All Rights Reserved.
+ *
+ * This software and documentation are supplied by Renesas Electronics America Inc. and may only be used with products
+ * of Renesas Electronics Corp. and its affiliates ("Renesas").  No other uses are authorized.  Renesas products are
+ * sold pursuant to Renesas terms and conditions of sale.  Purchasers are solely responsible for the selection and use
+ * of Renesas products and Renesas assumes no liability.  No license, express or implied, to any intellectual property
+ * right is granted by Renesas. This software is protected under all applicable laws, including copyright laws. Renesas
+ * reserves the right to change or discontinue this software and/or this documentation. THE SOFTWARE AND DOCUMENTATION
+ * IS DELIVERED TO YOU "AS IS," AND RENESAS MAKES NO REPRESENTATIONS OR WARRANTIES, AND TO THE FULLEST EXTENT
+ * PERMISSIBLE UNDER APPLICABLE LAW, DISCLAIMS ALL WARRANTIES, WHETHER EXPLICITLY OR IMPLICITLY, INCLUDING WARRANTIES
+ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT, WITH RESPECT TO THE SOFTWARE OR
+ * DOCUMENTATION.  RENESAS SHALL HAVE NO LIABILITY ARISING OUT OF ANY SECURITY VULNERABILITY OR BREACH.  TO THE MAXIMUM
+ * EXTENT PERMITTED BY LAW, IN NO EVENT WILL RENESAS BE LIABLE TO YOU IN CONNECTION WITH THE SOFTWARE OR DOCUMENTATION
+ * (OR ANY PERSON OR ENTITY CLAIMING RIGHTS DERIVED FROM YOU) FOR ANY LOSS, DAMAGES, OR CLAIMS WHATSOEVER, INCLUDING,
+ * WITHOUT LIMITATION, ANY DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT, PUNITIVE, OR INCIDENTAL DAMAGES; ANY LOST PROFITS,
+ * OTHER ECONOMIC DAMAGE, PROPERTY DAMAGE, OR PERSONAL INJURY; AND EVEN IF RENESAS HAS BEEN ADVISED OF THE POSSIBILITY
+ * OF SUCH LOSS, DAMAGES, CLAIMS OR COSTS.
+ **********************************************************************************************************************/
+
+#ifndef CRYPTO_KEYS_H_
+#define CRYPTO_KEYS_H_
+
+#include "psa/crypto_types.h"
+#include "psa/crypto_values.h"
+
+/* Set this to 32 for now since we only support SECP256R */
+#define MAX_IAK_BYTES    32U
+
+#define MAX_HUK_BYTES    32U
+
+/** IAK definition */
+typedef struct st_iak_data_t
+{
+    uint8_t         key[MAX_IAK_BYTES];
+    uint32_t        key_size;
+    psa_ecc_curve_t curve_type;
+} iak_data_t;
+
+/** HUK definition. */
+typedef struct st_huk_data_t
+{
+    uint8_t  key[MAX_HUK_BYTES];
+    uint32_t key_size;
+} huk_data_t;
+
+#endif                                 /* CRYPTO_KEYS_H_ */

ra/fsp/src/rm_tfm_port/ra/partition/region_defs.h

@@ -130,12 +130,28 @@
  * with TF-M Secure code's MSP stack
  */
 #define BOOT_TFM_SHARED_DATA_BASE S_RAM_ALIAS_BASE
-#define BOOT_TFM_SHARED_DATA_SIZE (0x3E0)
+/* BOOT_TFM_SHARED_DATA_SIZE is used in the bl2 code as the total area reserved to save the
+ * attestation info. The actual shared data area will be defined by BOOT_TFM_SHARED_DATA_LIMIT
+ * which will contain other items as well. */
+#define BOOT_TFM_SHARED_DATA_SIZE (0x380)
+
 #define BOOT_TFM_SHARED_SEED_BASE (BOOT_TFM_SHARED_DATA_BASE + \
                                     BOOT_TFM_SHARED_DATA_SIZE)
 #define BOOT_TFM_SHARED_SEED_SIZE (0x20)
+
+#define BOOT_TFM_SHARED_HUK_BASE (BOOT_TFM_SHARED_SEED_BASE + \
+                                    BOOT_TFM_SHARED_SEED_SIZE)
+#define BOOT_TFM_SHARED_HUK_SIZE (0x30)
+
+#define BOOT_TFM_SHARED_IAK_BASE (BOOT_TFM_SHARED_HUK_BASE + \
+                                    BOOT_TFM_SHARED_HUK_SIZE)
+#define BOOT_TFM_SHARED_IAK_SIZE (0x30)
+
 #define BOOT_TFM_SHARED_DATA_LIMIT (BOOT_TFM_SHARED_DATA_BASE + \
                                     BOOT_TFM_SHARED_SEED_SIZE + \
+                                    BOOT_TFM_SHARED_HUK_SIZE + \
+                                    BOOT_TFM_SHARED_IAK_SIZE + \
                                     BOOT_TFM_SHARED_DATA_SIZE - 1)
 
+#define BOOT_TFM_SHARED_DATA_TOTAL_SIZE (BOOT_TFM_SHARED_DATA_LIMIT - BOOT_TFM_SHARED_DATA_BASE + 1)
 #endif /* __REGION_DEFS_H__ */

ra/fsp/src/rm_tfm_port/ra/tfm_initial_attestation_key_material.c

@@ -14,6 +14,7 @@
 #include "psa/crypto_values.h"
 
 #ifdef SYMMETRIC_INITIAL_ATTESTATION
+
 /*
  * This file contains the hard coded version of the secret key for HMAC.
  *
@@ -43,41 +44,9 @@ const uint8_t initial_attestation_hmac_sha256_key[] =
 
 TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION")
 const size_t initial_attestation_hmac_sha256_key_size =
-        sizeof(initial_attestation_hmac_sha256_key);
+    sizeof(initial_attestation_hmac_sha256_key);
 
 TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION")
-const char *initial_attestation_kid = "kid@trustedfirmware.example";
-#else /* SYMMETRIC_INITIAL_ATTESTATION */
-/*
- * This file contains the hard coded version of the ECDSA P-256 secret key in:
- * platform/ext/common/template/tfm_initial_attestation_key.pem
- *
- * As a P-256 key, the private key is 32 bytes long.
- *
- * This key is used to sign the initial attestation token.
- * The secret key is stored in raw format, without any encoding(ASN.1, COSE).
- *
- * #######  DO NOT USE THIS KEY IN PRODUCTION #######
- */
+const char * initial_attestation_kid = "kid@trustedfirmware.example";
 
-/* Type of the EC curve which the key belongs to, in PSA curve ID form */
-TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION")
-const psa_ecc_curve_t initial_attestation_curve_type = PSA_ECC_CURVE_SECP_R1;
-
-/* Initial attestation private key in raw format, without any encoding.
- * It belongs to the ECDSA P-256 curve.
- * It MUST be present on the device.
- */
-TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION")
-const uint8_t initial_attestation_private_key[] =
-{
-    0xA9, 0xB4, 0x54, 0xB2, 0x6D, 0x6F, 0x90, 0xA4,
-    0xEA, 0x31, 0x19, 0x35, 0x64, 0xCB, 0xA9, 0x1F,
-    0xEC, 0x6F, 0x9A, 0x00, 0x2A, 0x7D, 0xC0, 0x50,
-    0x4B, 0x92, 0xA1, 0x93, 0x71, 0x34, 0x58, 0x5F
-};
-
-TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION")
-const uint32_t initial_attestation_private_key_size =
-        sizeof(initial_attestation_private_key);
-#endif /* SYMMETRIC_INITIAL_ATTESTATION */
+#endif                                 /* SYMMETRIC_INITIAL_ATTESTATION */